Cybersecurity: The Next Business System

The deadline for contractors to bring their information systems into compliance with the government's cyber standards framework was Dec. 31, 2017. Now, more than a year later, the industry has been preparing for the next phase: government validation.

Recently, the Department of Defense (DoD) released plans to audit contractors' supply chain management for compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) Safeguarding Clause 252.204-7012. This clause requires many DoD contractors to comply with the cybersecurity framework criteria in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Contractors are required to flow down this clause to subcontractors where subcontract performance will involve DoD Controlled Unclassified Information (CUI).

To effectively implement the cybersecurity requirements set forth in DFARS 252.204-7012 and NIST SP 800-171, Under Secretary of Defense Ellen Lord has directed the Defense Contract Management Agency (DCMA) to validate contractor compliance. Specifically, the DCMA is directed to leverage its review of a contractor's purchasing system (DFARS 252.244-7001) to address compliance by:

  • Review of contractor procedures to ensure proper contractual flow down of DoD CUI requirements to their Tier 1 level suppliers.
  • Review of contractor procedures to assess compliance of their Tier 1 suppliers with the DFARS Clause 252.204-7012 and NIST SP 800-171.

If the DCMA does not administer your contracts, Lord stated, “We will work with representatives of those communities to implement a similar solution.”

This memorandum highlights the importance of establishing processes and being prepared for the upcoming reviews; clearly, action is required, and cybersecurity requirements should not be taken lightly. In addition, as a prime contractor, you are required to flow down this clause and demonstrate that your subcontractors are compliant as well. Strong supply chain management processes are imperative for compliance.

As the DCMA works to incorporate this directive into the Contractor Purchasing System Review (CPSR) process, DHG will continue to monitor progress and provide updates through the GovCon Report (A Publication of DHG GovCon), our monthly webinars, and the Annual Government Contracting Conference on May 2, 2019, in Tysons Corner.

If you have concerns about your company's compliance status with regard to DFARS 252.204-7012, or have questions about the criteria contained in NIST SP 800-171, please reach out to the DHG GovCon team for an assessment or for advice on developing an action plan.

DHG Contact

Tom Tollerton, CISSP, CISA, QSA
Senior Manager, DHG IT Advisory
itadvisory@dhg.com